Fortinet has patched two critical flaws, one in FortiSandbox and one in FortiAuthenticator, that could let an unauthenticated attacker remotely execute code on unpatched systems.
The first vulnerability, CVE-2026-44277, is an improper access control issue in FortiAuthenticator that could let an unauthenticated attacker execute unauthorized code or commands via crafted requests. Affected FortiAuthenticator releases and their fixes are: 8.0.0 through 8.0.2 (upgrade to 8.0.3 or above), 6.6.0 through 6.6.8 (upgrade to 6.6.9 or above), and 6.5.0 through 6.5.6 (upgrade to 6.5.7 or above).
The second flaw, CVE-2026-26083, is a missing authorization issue in FortiSandbox that could allow an unauthenticated attacker to execute unauthorized code or commands via crafted HTTP requests, which amounts to remote code execution on vulnerable systems. Neither flaw has been observed in the wild, and Adham El Karn of the Fortinet Product Security team is reportedly credited with discovering and reporting the FortiSandbox issue internally. According to Fortinet's PSIRT advisories, FortiAuthenticator Cloud is unaffected.